1 PRELIMINARY NOTES


In order to provide a starting point for the development of practicable data privacy specifications for AI
systems at Deutsche Telekom, the broad public discussion on artificial intelligence was focused on
the current data protection requirements of Deutsche Telekom.

This guideline is intended for product and business model managers, developers, Privacy and
Security Assessment (PSA) requesters of systems and projects with an AI component and data privacy
experts.

According to the General Data Protection Regulation (GDPR), a distinction can be made between AI
systems which, as assistance systems, support people in their decisions and systems which make
decisions independently (automated individual decisions). The GDPR applies to AI-supported
assistance systems. Article 22 GDPR contains special regulations for so-called ADM systems
(Algorithmic Decision Making).

Irrespective of this legal differentiation between different AI solutions, Deutsche Telekom applies
uniform governance to AI projects that covers both AI assistance systems and ADM systems.

This guideline is intended to provide the necessary orientation and security of action for the 
operationally responsible body in the phase between the business or product idea and the PSA 
procedure. 


2 GENERAL QUESTIONS 


2.1 What is artificial intelligence?


Current AI systems represent a combination of analysis systems based on formalized expert
knowledge (Data Warehouse, Business Intelligence) and machine learning as well as the targeted
application of what has been learned. In the algorithmic decision-making process, which is regularly
used as the basis for an AI, an assessment is made on the basis of information, which leads to a
decision, forecast or recommendation for action. Thus, not only the data processing itself, but in
particular the decision as a consequence of the processing bears a potential risk for the data subject.
The classical IT with its elements "input" - "processing" - "output" is extended by the abilities
"perceiving" - "understanding" - "acting" - "learning"¹. These characteristics, which until now have only
been assigned to humans, can now also be performed by machines to an increasingly greater extent.
The term "understanding" is new territory in connection with computers and must be critically
accompanied with regard to traceability and adherence to ethical values. Machine learning refers to a
series of optimization methods in artificial neural networks, among others. AI systems can have very
complex structures between the input and output layers. By mapping several hierarchical processing
layers, machine learning can become considerably more efficient (Deep Learning). However, this
inevitably results in a loss of traceability in AI decisions. Due to the complexity of the algorithms and
the multitude of arithmetic operations performed by the machine, the deeper processing layers
(hidden layers) elude transparency in the decision criteria and their weighting. Although the
disclosure of the algorithms on which the AI is based is a core demand in the current debate about
more transparency in AI systems, the concrete verification of the decision logic of highly complex AI
systems on the basis of disclosed algorithms is likely to be difficult in practice. "Explainable AI
systems" is an approach that is currently being intensively researched. In future, it would be desirable
for AI systems to provide information regarding the decision criteria and their weighting in decisions
beside the factual results of an AI-based data processing.


¹ See also: Bitkom position paper: https: |
DFKI-Positionspapier-Digital-Gipftel-Al-und-Entscheidungen-1306201 /-2.pdf

It is more practical at this stage to monitor the decision-making processes of AI systems from "outside",
where the decisions taken by the AI are reviewed against a pre-determined purpose of the system and
ethics governance.


AI decisions that are outside the expected range can be identified and intervention can be taken.
Tools developed specifically for the analysis of AI decisions can help. However, the principle applies
that monitoring machines exclusively by machines is paradoxical. Human judgements must always
dominate AI monitoring processes.


In addition to the efficiency of the learning mechanisms, successful machine learning depends not
least on the quantity and quality of the available data. The "Big Data" trend in IT and the mass
availability of data are currently significantly accelerating the development of AI systems.


Transparency of data sources used and the lawfulness of their processing in AI systems are therefore key
data privacy requirements.


The very complex psychological and emotional processes of human knowledge and decisions are 
likely to remain hidden from the machines for some time to come. When evaluating and weighing up 
data privacy law, it must therefore be borne in mind that machine decisions are based on different 
principles and mechanisms than those applied to human decisions. 


In order to achieve the necessary security in dealing with AI systems, comprehensive ethical and legal
governance for AI decisions must be effectively implemented.


All ethical rules of conduct agreed in the Group and all compliance requirements that are binding for
organizational units and every employee must also form the basis for decisions on AI systems.


2.2 Which specific data privacy legal questions need to be clarified within the case of AI projects?


In the Group, we design data privacy-compliant Big Data, BI, Data Warehouse and Data Analytics
systems on a daily basis and have sufficient experience and specifications in dealing with data
protection issues relating to these IT processes. With AI systems and AI-supported business models,
of course, all these existing data protection requirements must be applied and complied with. This
applies in particular to the question of the permissibility of the processing of personal data.


In addition, the following specific questions essentially arise in the evaluation of AI systems under
data protection law:


1. How are transparency and action rights of the user / data subject guaranteed? 


Contracts and customer processes must be designed in such a way that the type and scope of the
share of AI-supported decisions is transparent. It must therefore be clear whether an AI system is
being used and how big the part of the AI in the decision-making process actually is.

The legally required objection and complaint possibilities must be implemented processually in the
business model and should be usable in a simple way.


2. How is (internal) transparency regarding AI decisions ensured and how do we control and monitor AI
systems?


As part of a balancing process, an appropriate control method and monitoring intensity must be
established for the decisions of an AI system. It must be checked whether decisions made /
recommended by the AI system are in line with the previously defined purpose of the AI system, the
needs of the data subject and the ethical principles of our company. Ethical principles are all rules of
conduct that we have established in our company for dealing with each other and with our customers.
These include, in particular, the respectful handling of personal rights, fairness, non-discrimination,
social participation and pluralism.


In our opinion, AI systems are compliant with data privacy regulations if


- the lawfulness of the processing of all data (sources) is guaranteed,

- the use of artificial intelligence is sufficiently transparent to all participants,

- there are possibilities for regulation in the case of allegedly existing wrong decisions,

- the decision-making processes of AI systems are regularly monitored and

- it can be ensured that any decision taken by the AI is always in line with the Group's Digital
Ethics Guidelines.


In order to comply with the transparency requirements of the GDPR for AI systems, the user must be
able to rely on the fact that the ethical principles for AI decisions are transparent, observed and
effectively monitored. The specialist's project responsibility also includes the mapping and
implementation of the transparency and control processes required for this.


3 CONCRETE DATA PRIVACY REQUIREMENTS OF THE
GROUP DURING THE DESIGN OF AI PROJECTS


Deutsche Telekom has committed itself to a transparent and people-centric approach to AI systems
under the aspect of "digital responsibility" in nine guidelines.


https://www.telekom.com/en/company/digital-responsibilit


In the following, Group Privacy specifies the data protection requirements that apply to the individual 
guidelines: 


We are responsible. 
- The purpose of the AI system used must be finally determined and documented;
- The responsibilities for the business model / product are clearly defined. The responsibility for
purchasing, development and proper operation of the AI elements is also clearly assigned;
- The legality of the use of all used data sources as well as the data is proved and documented.


We care.


In order to control the decisions of the AI system, an appropriate and effective monitoring
process has to be implemented by the responsible technical unit. The monitoring process
must at least meet the following requirements:
- Data subjects affected by the AI decision may address a complaint. The AI's
decision that gave reason to the complaint must be reviewed with regard to the
compliance with the agreed business purpose and for compliance with Group
governance. The decision must be made comprehensible to the complainant
and, in case of doubt, corrected.
- All employees entrusted with the operation of the AI system are particularly
sensitized with regard to the range of expected decisions of the AI system
within the scope of the intended purpose and the relevant governance
requirements. If the employees have indications for a deviation of the AI
decisions from the specified decision range, immediate intervention must be
possible ("emergency stop button"). The causes of the detected deviations
must be identified and documented. If necessary, corrective measures must be
implemented before the AI system is resumed.
- Depending on the criticality of the processed data or the scope of the decisions
made by the AI system, the responsible professional unit shall review the AI
system at regular intervals. The decisions of the AI system are to be checked
for compliance with the governance requirements. The result must be
documented. The type and scope of the checks to be carried out are agreed
between the technical responsible unit and GPR within the framework of the
PSA process and are mapped processually in regular operation.

For each AI project, a data privacy impact assessment must be carried out as part of the PSA
procedure. Risks have to be analyzed and measures for risk reduction have to be defined and
implemented in the project.


We put our customers first. 


The highest benchmark for the design of AI-based business models is the integrity of the
personal rights of the affected customers or employees. If personality rights are impaired, trust
is lost. Without trust, there is no business success and the reputation of the Group is
damaged. AI solutions are therefore conceived and developed from the customer's/employee's
point of view.


We are transparent. 


It must be transparent to customers and employees at all times as to whether they
communicate with an AI system and what part the AI system plays in the decision-making
process.

It must be transparent to customers and employees as to which of their data is processed in
an AI system and for what purpose.

It must be possible for the data subject to question AI decisions and for the decision to be
explained in a comprehensible way.


We are secure. 


In addition to the requirements specifically mentioned here, all data privacy and data security
requirements established in the Group also apply when designing AI-supported business
models and products.
The Privacy and Security Assessment (PSA) procedure is mandatory for all AI-based business
models and products.


We set the grounds.


- The development of our own AI systems must take the ethical and legal requirements for our
Group into account at the development stage (Privacy by Design, Ethic by Design,
Transparency by Design).

- Purchased AI systems must be able to comply with our ethical and legal requirements in
practical operation. If this is not guaranteed, the product cannot be used. This must be
evaluated and documented before using external AI systems.


We keep control. 


- Irrespective of the monitoring processes mentioned above, AI systems and their operating
processes must be designed in such a way that immediate intervention to prevent or reduce
damage is guaranteed.


We foster the cooperative model. 


- To regard humans and their personal rights as a benchmark for the design of AI systems does
not exclude far-reaching cooperation between humans and machines. Through innovative
ideas and the consideration of human interests already in the planning and development of AI
business models and products, we are able to establish standards that ensure lasting trust in
Deutsche Telekom's products and enable fruitful cooperation between human and machine.


We share and enlighten. 


- We share our ideas for a privacy-compliant design of AI business models and products with
others and thus promote our high standards.


4 THE CONTROL PROCESSES 


[Figure: AI control processes]


The following process-related requirements must be mapped by the responsible operational
departments:


- Ensure and monitor transparency regarding the AI component in the business model and the
established control processes vis-a-vis the data subject.

- Ensure and monitor impact and complaint processes for all parties involved in data
processing.

- Monitoring of AI decisions for compliance with the defined purpose of the system and AI
governance.


5 PRIVACY ASSESSMENT AI


Due to the limited scope of application of data privacy standards, the data privacy framework is always
only a sub-area that must be considered within the framework of an AI and the underlying processes
and which standardizes the relevant requirements. Procedures that are based from the outset or due
to corresponding measures (anonymization) on information that has no personal reference fall outside
the scope of data privacy regulations (e.g. GDPR). In addition, data privacy standards primarily aim at
the protection of individual rights of the individual. Group- or company-related goals, such as
non-discrimination and participation, are regularly not safeguarded. However, in the area to which the
provisions of the GDPR apply, there are already sufficient regulations and requirements concerning AI
and the underlying algorithmic decision-making procedures. There are both specific standards dealing
with these procedures and general principles and requirements of data privacy to be observed due to
the processing of personal data in the context of AI.

There are roughly two types of algorithmic systems. Art. 22 GDPR contains specific provisions on 
systems that evaluate people and make algorithmic decisions (Algorithmic Decision-Making Systems, 
or ADM systems for short). 


This must be distinguished from decision support systems, which "only" support the decision maker in
the human decision and only serve to prepare human decisions (Decision Support Systems, or DS
systems for short). The latter can be used to any extent within the framework of the general
requirements of the GDPR.


From the data privacy point of view, it is therefore initially decisive whether the scope of data privacy
law has been opened up.


Definition: Personal data and/or personal related data 


Then - as with any data processing - the general requirements of the GDPR must be observed. Here,
reference can be made to already existing guidelines, e.g. on Big Data. The specific requirements of
Art. 22 GDPR on automated individual decision-making (including profiling) apply only in the event
that an ADM system is also used within the framework of the AI, i.e. algorithm-based decisions are
made automatically and not merely prepared.


5.1 Basic principle: Prohibition of an automated individual decision-making 


Pursuant to Art. 22 GDPR, individuals have the right not to be subject to a decision based exclusively 
on automated processing - including profiling - which has legal effect on them or significantly affects 
them in a similar manner. Profiling is defined in Art. 4 para. 4 GDPR and forms a subset of the 
automated individual case decision. 


5.1.1 Exclusively automated processing


Art. 22 GDPR therefore only covers systems in which the decision is based "exclusively on automated
processing" without any human influence. However, the possibility of influencing or involving humans
must not be merely a formal act but must offer scope for co-responsibility in terms of content, i.e.
humans must also be able to decide against the recommendation without fear of disadvantages.


5.1.2 Legal effect or considerable detraction


Furthermore, the decision must have a legal effect vis-a-vis the data subject or significantly affect him
or her. A "legal effect" can always be said to exist if the decision changes the legal position of the data
subject. A "considerable impairment" can always be assumed if the economic or personal
development of the data subject is significantly disturbed.


5.1.3 Exceptions 


According to Art. 22 para. 2 GDPR, systems of automated decisions are "exceptionally" permissible if
(a) the decision is necessary for the conclusion or performance of the contract between the data
subject and the data controller, (b) the ADM decision has been declared admissible by a statutory
provision in the data subject's country, or (c) the decision is made with the data subject's express
consent.


5.1.4 Special categories of personal data 


Art. 22 para. 4 GDPR provides a special limit for the admissibility of ADM systems: Special
categories of personal data within the meaning of Art. 9 para. 1 GDPR may not be used for automated
decision-making - unless the data subject has consented or EU or national legislation permits this for
reasons of substantial public interest.


5.1.5 Adequate protective measures 


If an automated individual decision is finally exceptionally permissible under Art. 22 para. 2 or para. 4
GDPR, Art. 22 para. 3 GDPR lays down specific requirements with regard to accompanying
appropriate measures "in order to safeguard the rights and freedoms as well as the legitimate interests
of the data subject" (Art. 22 para. 2 b, para. 3 and para. 4 GDPR). Article 22 para. 3 and recital 71 of the
GDPR provide guidance on these measures. These are procedural measures and technical measures.


Procedural measures:
- Right to request the intervention of a person
- Right to express one's own point of view
- Right to appeal against a decision


Contrary to the wording, it will probably be assumed that these rights must not be granted
unconditionally, but for legitimate reasons in individual cases.


Examples of technical measures:
- Appropriate mathematical or statistical methods
- Technical and organizational measures to avoid incorrect personal data
- Regular review of the data records and the procedure (audit algorithms if necessary)
- Test routines during development and operation

Further details can also be derived from the opinion of the Article 29 Working Party (October 2017).²


5.2 Basic principles of the processing


Both with regard to the processing of personal data within the framework of ADM systems and with 
regard to systems such as DS systems which do not fall under the special requirements of Art. 22 
GDPR, the principles of processing personal data within the meaning of Art. 5 GDPR must be 
observed. These principles are in turn substantiated by a number of individual provisions in the 
GDPR. 


These include legality, transparency, purpose limitation, accuracy, integrity and confidentiality of the 
processing and accountability. 


5.3 Transparency


The transparency obligations include the obligation to inform the data subject about the data
processing (Art. 13 and 14 GDPR). The information duties are intended to ensure that the data subject
learns about the data processing and its scope so that he or she can effectively exercise his or her
rights.


In the case of automated decision-making pursuant to Art. 22 para. 1 and para. 4 GDPR, the data
subject must be informed that an ADM system is being used. In addition, "meaningful information on
the logic involved and the scope and desired effects of such processing for the data subject" is
required (Art. 13 para. 2 lit. f and Art. 14 para. 2 lit. a GDPR).


Since the right of the data subject to obtain meaningful information is regularly opposed in this case
to the legitimate interest of the responsible party in the protection of his business secrets (also recital
63 GDPR), this does not automatically mean that the algorithm of the procedure must be
communicated. However, the purpose and criteria to be taken into account in decision-making should
be disclosed (see also Article 29 Working Party).


The principle of proportionality will also have to be applied. The transparency obligations also include
the right to information pursuant to Art. 15 GDPR, according to which the data subject has the right to
demand information from the person responsible about the purpose and scope of the data processing.
The right to information is intended in particular to enable the data subject to check whether the data
are being processed lawfully. In the case of automated decision-making pursuant to Art. 22 para. 1 and
para. 4 GDPR, the information must also contain "meaningful information on the logic involved as well
as the scope and intended effects of such processing on the data subject" (Art. 15 (1) lit. h GDPR).


It should be noted that the legal wording allows considerable scope for interpretation, so that it can be
assumed that only abstract information about the system functionality is required and not the
disclosure of the algorithm.


However, if a Decision Support System (DS system) is used which merely supports or recommends
decisions, the special transparency obligations of Art. 13 para. 2 lit. f or Art. 14 para. 2 lit. a GDPR are
not applicable.


A special legal framework applies to automated individual decision-making in the field of public 
administration, where statutory provisions already provide for an obligation to state reasons with 
regard to the comprehensibility of a decision. 


² "Guidelines to automatized decisions on an individual basis including profiling for the purposes of the
Regulation 2016/679", WP251 rev.01 - http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612053


5.4 Data privacy impact assessment


If data processing is likely to pose a high risk to the rights and freedoms of data subjects, the data
controller must first carry out a data privacy impact assessment (Art. 35 para. 1 GDPR). The data
privacy impact assessment is thus an important instrument for fulfilling the obligation under Art. 5
para. 2 GDPR to demonstrate compliance with the GDPR ("accountability"). In addition, the data
privacy impact assessment has the function of an early warning system and a risk analysis which can
prevent a potential violation of personal rights. Within this framework, a certain degree of
documentation of the underlying algorithms will be required - especially in order to be able to carry
out a sufficient risk assessment.


In the case of automated decision making (ADM system), the data privacy impact assessment is
generally mandatory under Art. 35 para. 3 lit. a GDPR - but in the view of the Article 29 Data Protection
Working Party, constellations are also covered in which the algorithm is only used in preparation for
decision support (DS systems). The Data Protection Conference (body of the German data protection
supervisory authorities) has published a list of processing operations for which a data privacy impact
assessment must always be carried out in accordance with the provisions of the Article 29 Data
Protection Working Party³. If it emerges from the data privacy impact assessment that the processing
would result in a high risk for the rights and freedoms of the data subjects, provided that the data
controller does not take measures to contain the risk, there is finally an obligation to consult the
supervisory authority pursuant to Art. 36 (1) GDPR.


The necessary data protection impact assessment is part of the Privacy and Security Assessment 
(PSA) procedure. 


6 EXISTING REQUIREMENTS TO BE OBSERVED WHEN
VALUATING AI PROJECTS


6.1 General specifications 


The Privacy and Security Assessment (PSA) must be completed for all IT/NT systems in the Group and
for all Telekom products.


6.2 BigData 


Whitepaper Group Privacy on data privacy compliant design of data-driven business models. 
OnePager for data privacy compliant design of data-driven business models. 


Guiding principles of Deutsche Telekom for BigData: 


https://www.telekom.com/resource/blob/323582/dcd/8db4c /aet/404302499/41 /9e/03/dl-guiding-principles-big-data-data.pdf


³ https://www.datenschutzkonferenz-online.de/media/ah/20181017_ah_DSK_DSFA_Muss-Liste_Version_1.1_Deutsch.pdf


7 OVERVIEW OF ALL DATA PRIVACY LEGAL
REQUIREMENTS


All specific requirements from this guide in the overview: 


7.1 Before realization of the Privacy and Security Assessment (PSA)


- The purpose of the AI system is conclusively determined.

- The responsibilities for the business model / product / IV processes are clearly defined.

- The planned use of the AI solution is conceived and developed from the customer's/employee's
point of view.

- Purchased AI systems must be able to comply with our ethical and legal requirements in practical
operation. If this is not guaranteed, the product cannot be used. This must also be evaluated and
documented before using external AI systems.


7.2 During the Privacy and Security Assessment 


- The lawfulness of the processing of all data (sources) is guaranteed.

- An appropriate and effective monitoring process has been implemented to monitor the decisions
of the AI system.

- A data privacy impact assessment was carried out for the project.

- The development of our own AI systems must take the ethical and legal requirements of our Group
into account at the development stage (Privacy by Design, Ethic by Design, Transparency by
Design).

- AI systems and their operational processes must be designed in such a way as to ensure that
immediate intervention to prevent or reduce damage is possible.


7.3 On completion of the Privacy and Security Assessment


- It must be transparent at all times to customers and employees as to whether they communicate
with an AI system and what part the AI system plays in decisions made.

- It must be transparent to customers and employees as to which of their data is processed in an AI
system and for what purpose.

- It must be possible for the data subject to question AI decisions, and the decision must be
explained in a comprehensible way.

- Continuous monitoring of AI decisions for compliance with the defined purpose of the system and
AI governance.